What is ICA?
by Democritus "Father of Materialism"
Have you ever dialed a number and come across this?
*ICA* *ICA* *ICA*
What Is It?
ICA, or Independent Computing Architecture, is a protocol developed by Citrix Systems, Inc. and is used to connect thin clients to phat servers.
Why "PHAT" Servers?
Well, because those servers are exceedingly rich targets. We'll get to that later.
What Is Thin Client Technology?
Well, in case you have been out of the loop for a while, thin client technologies are becoming popular in the corporate environment. The idea behind thin clients is that the client can be a simple machine with very few resources to manage, lowering (in theory) the Total Cost of Ownership (TCO). All applications run on a central server, which centralizes application management and eases maintenance and upgrades, again lowering TCO.
The most appealing aspect of thin clients is the fact that those old, tired i486s running DOS can run the Citrix WinFrame Client, connect to the server and run all the latest applications. You don't need to spend $4M to replace 2000 i486s with Pentium IIs when you can spend $1M on a few servers loaded with Citrix.
The server, which needs to be pretty hefty, runs all the applications for the clients and sends only screen updates back to the client. The client software captures keyboard and mouse input and redirects it to the server. The traffic between client and server is therefore minimal.
Citrix WinFrame allows remote clients to connect by LAN, dial-up, or IP over the Internet. Essentially, it can be used by telecommuters from home, or by road warriors with their laptops. There are clients for DOS, Win 3.1, 95, NT, and Mac, which means that, regardless of what computer you have, you can connect to the server and do your work, a boon for IT managers.
[The one drawback to Citrix WinFrame is that it is based on Windows NT 3.51. Because of this, not all applications will run on it. Microsoft licensed the underlying technology from Citrix for its own version based on Windows NT 4.0, code-named "Hydra." Hydra is in beta testing and will be out later this year.]
Why Are Citrix WinFrame Servers Such Rich Targets?
To begin with, the WinFrame server is a centralized server serving many clients, so it needs to be loaded with everything the users might possibly need. Even if there are several servers, the NT domain structure should give certain users access to everything. Another reason is the defensibility of Citrix. Because Citrix WinFrame can be so heavily fortified against unauthorized access, more can be loaded on it with greater confidence. Since we're looking at Citrix WinFrame servers that have been set up for remote access by users, we're looking at servers that give authorized users full access to all sorts of databases... of course, we're in here just for curiosity, not for profit. That would be highly illegal, and even more unethical. Remember The Hacker Manifesto.
Um, What Fortifications?
There are several levels of security. The first you've already seen: without an ICA client, you can't talk to the server at all. This one is simple enough, since you can download the client from the Citrix web site. Of course, even more basic is the phone number or IP address, and these are not going to be published. Also, if you're going to connect over IP, you have to get past firewalls and non-standard ports (ICA's default listener is TCP port 1494, but nothing forces an administrator to leave it there).
Unfortunately, the second security level may still stop you right there. Citrix WinFrame can be set to accept only clients with encryption enabled. Oh, and you can't get the encryption-enabled client off the web site; that software is only distributed from the encryption-enabled server itself. O.K., so you use some social engineering and find the client.
The third level is the username and password. Standard NT security and hack stuff here. Note that, if the WinFrame server is connected to a NetWare server, the username and password are synchronized with the NetWare login and password.
The fourth level is the toughest to hack, and may not be hackable at all (if it exists; this level is a very expensive option, costing roughly $50,000 for 100 users!). The server may be protected by an ACE/Server, from Security Dynamics. The ACE/Server is a two-factor token authentication system: when a user logs on and is authenticated by the NT/NetWare server, the session is passed to the ACE/Server, which prompts the user for a PASSCODE. This PASSCODE, anywhere from 4 to 16 alphanumeric characters, is the killer.
The PASSCODE consists of a PIN plus a number generated by the SecurID card. (This was mentioned in the Winter issue by Seraf.) The SecurID card generates a new number every 60 seconds, so the user has 60 seconds to type in the PIN and the number. If they mistype the number, or the 60 seconds expire, they have to re-enter the PASSCODE using the newly generated number. The number changes every 60 seconds and is different for every card, so it is unique per user as well!
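To make the PASSCODE mechanism concrete, here is an added example (written for this page; it is not Citrix's or Security Dynamics' code) that models the PIN plus 60-second tokencode scheme described above and shows why a captured PASSCODE is worthless a minute later. The tokencode function is an assumption: it uses HMAC-SHA1 truncated to six digits in the style of the later RFC 4226/6238 one-time-password standards, whereas the real SecurID card used a proprietary function. The user names, PINs and card seeds are constructed, and the in-window replay check is a sensible server-side check, not something the article describes.

```python
"""Model of a PIN + time-based tokencode PASSCODE check (added example, not SecurID itself)."""
import hashlib
import hmac
import struct

WINDOW_SECONDS = 60      # a fresh tokencode every 60 seconds, as the article says
TOKENCODE_DIGITS = 6     # assumed tokencode length; not stated on the page


def tokencode(seed: bytes, now: int) -> str:
    """Tokencode shown by a card with this seed during the 60-second window containing `now`.

    Assumption: HMAC-SHA1 over the window counter, dynamically truncated as in
    RFC 4226/6238. The real SecurID card computed its number differently.
    """
    counter = now // WINDOW_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** TOKENCODE_DIGITS).zfill(TOKENCODE_DIGITS)


class AceServerModel:
    """Toy stand-in for the ACE/Server: knows each user's PIN and card seed."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[str, bytes]] = {}   # user -> (PIN, card seed)
        self.accepted: set[tuple[str, int]] = set()      # (user, window) already used

    def enroll(self, user: str, pin: str, seed: bytes) -> None:
        self.users[user] = (pin, seed)

    def verify(self, user: str, passcode: str, now: int) -> bool:
        """Accept only PIN + current tokencode, and only once per window (assumed replay check)."""
        record = self.users.get(user)
        if record is None:
            return False
        pin, seed = record
        expected = pin + tokencode(seed, now)
        # constant-time compare so a wrong PIN and a wrong tokencode are indistinguishable by timing
        if not hmac.compare_digest(passcode, expected):
            return False
        window = now // WINDOW_SECONDS
        if (user, window) in self.accepted:
            return False          # same PASSCODE replayed inside its 60-second window
        self.accepted.add((user, window))
        return True


def demo() -> dict[str, bool]:
    """Exercise the model with constructed users and one captured PASSCODE."""
    server = AceServerModel()
    alice_seed = b"constructed-seed-alice"   # constructed; a real seed is per card and secret
    server.enroll("alice", "4321", alice_seed)
    server.enroll("bob", "8765", b"constructed-seed-bob")

    t = 1_000_000_000                         # arbitrary epoch second; window boundary is t+20
    captured = "4321" + tokencode(alice_seed, t)   # what a shoulder-surfer or sniffer might see
    return {
        "fresh": server.verify("alice", captured, t),                 # first use in window: accepted
        "replay_same_window": server.verify("alice", captured, t + 10),  # replayed 10 s later: rejected
        "expired": server.verify("alice", captured, t + 120),         # two windows later: rejected
        "wrong_pin": server.verify("alice", "0000" + tokencode(alice_seed, t), t),
        "other_user": server.verify("bob", "8765" + tokencode(alice_seed, t), t),  # alice's code, bob's card
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'accepted' if ok else 'rejected'}")
```

The point to take away is the one the article makes: the only way to "get" the tokencode is to hold the card for the current minute, so knowing the PIN alone, or a PASSCODE seen earlier, buys nothing.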
So How Do I Get In?
If everything is set up as it is supposed to be, you don't. But no system is set up perfectly... and that's why you're a hacker, right?
The hardest part, as I said, is the PASSCODE. NT and NetWare hacks you can find out elsewhere.
The PASSCODE, on the ACE/Server, cannot be bypassed from the outside. The SecurID requirement can, however, be removed, disabled, or replaced with a plain password by an administrator with access to the ACE/Server console. Ditto with the PIN. Of course, you've got to convince the administrator you're a valid user who's "lost" his SecurID and PIN.
But that's not hacking, that's lying. No fun in that.